My website has been hacked lately and it has been defaced. Now I have weird files and don't know where they are coming from. I just want to know which of these files are harmful or could cause me to get hacked again.

The .htaccess contains the following code:

<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 121.54.58.159

The file .wysiwygPro_preview_eacf331f0ffc35d4b482f1d15a887d3b.php contains the following code:

6 Answers
6

What is that?

The PHP file is an XSS backdoor. It allows the attacker to provide any HTML with JavaScript in the context of your site. This allows him access to cookies set by your site.

An attacker will trick a victim into making a POST request to that file with the malicious code in the wproPreviewHTML variable. If that user has special permissions on your site, e.g. because he is logged in, the attacker will be able to do anything that user can do.

The forbidden error may be suspicious, too. Some malicious software tries to hide in the error document. As the error documents are usually outside the document root folder for the normal web pages, there is quite a high chance for such modifications to go unnoticed.

What to do now?

You need to set up your server from scratch, as you cannot know the complete impact of the manipulation. It is likely that there is a backdoor hidden somewhere. Do not copy any program files (including scripts and PHP files) from the compromised server to the new one.

Furthermore, there are some malicious programs for desktop computers which manipulate PHP files during upload via FTP or SFTP.

can you provide more details on the backdoor? Is it intended to be malicious, or is it being improperly used?
– schroeder♦ Dec 13 '11 at 16:17

2

@schroeder, the XSS backdoor is malicious. The exploit tries to hide it as a programming mistake. But as this file is created by the attacker and has no other purpose at all, it is safe to assume malicious intent. There is too little information on how the attacker got access to the server and what server-level backdoors he left.
– Hendrik Brummermann Dec 13 '11 at 18:36

1

While the wysiwygPro file is technically an XSS backdoor, most likely it's not something planted by the defacer, but a leftover from a cpanel in-browser file editor like @ChrisDavis noticed in his answer. It should be deleted though.
– Krzysztof Kotowicz Jan 3 '12 at 15:10

@KrzysztofKotowicz - I would trust Krzysztof Kotowicz's view on the matter before somebody with 21 reputation points and a single answer on this site.
– Ramhound Jan 3 '12 at 15:53

This file .wysiwygPro_preview_eacf331f0ffc35d4b482f1d15a887d3b.php
is not a backdoor to be worried about. It is created by the cpanel file manager whenever you use the built in html editor in the file manager of cpanel.

The files should be deleted though if they are left behind by the editor.

The content of that file, as posted by winona, contains an XSS vulnerability. Do you know if recent versions of that application still create that file? Might be a good idea to open a bug report with the vendor.
– Hendrik Brummermann Jan 3 '12 at 15:52

@Chris Davis - Do you have any evidence besides your word that this file isn't malicious? I wouldn't trust a user with so little reputation, a clear inability to communicate, and no proof provided. If I had the reputation to downvote this answer I would.
– Ramhound Jan 3 '12 at 15:56

If created by the cPanel that the user is using, that would be a relief in that it doesn't indicate the server was compromised. It is wrong to say that it is nothing to be worried about even if it was created by legitimate software, however. That is an ugly piece 'o XSS-harboring code. For that, my vote is currently +/- 0.
– Jeff Ferland♦ Jan 3 '12 at 16:07

2

According to the question, the website was defaced. So the system was compromised. I think it is a minor point whether it was this vulnerability or another one that the attacker used, and whether the file was created by insecure software or left by the attacker. But in the insecure-software case, it will be a good idea to verify whether the issue still exists in the most recent version, and open a bug report.
– Hendrik Brummermann Jan 3 '12 at 16:29

1

+1 - Tested on Hostgator with a newly created cPanel account; I have a reseller account so I could easily create and delete accounts. And by the way, there was also a .smileys folder with a bunch of icons that was created after I started the HTML editor. Nothing to worry about.
– Nabil Kadimi Jan 31 '13 at 22:20

As Chris Davis answered, the PHP file is not a malicious backdoor; it is created by the cPanel file manager WYSIWYG editor and it is extremely unlikely that the file has anything to do with the site being defaced.

This is not nearly as insecure as it looks in the original post. The file name is a long random string and another long random string needs to be passed to it to do anything. That string gets updated every time the editor saves. The rest of the file looks something like this:

If you are using cPanel and have used its IP Deny Manager to block access to 121.54.58.159, then this will automatically be written to your .htaccess file with the intended purpose of blocking that IP (and any others you may wish to enter):

<Files 403.shtml>
order allow,deny
allow from all
</Files>
deny from 121.54.58.159

@ChrisMurray I considered that before posting because the bbm answer is fairly close to mine. I thought about editing it at first, but on balance it is as incorrect to assume that cPanel added this text as it is to attribute its presence to malware. So essentially, I don't agree that any of the other answers are correct.
– Magpie Dec 16 '14 at 17:37
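A defender-side check for the .htaccess part of the question, added here as an example and not taken from any of the answers: it separates the IP Deny Manager block and the `deny from` lines, which the answers say cPanel writes, from every other directive, which is reported for manual review (the first answer's point about malware hiding in error documents is the constructed extra `ErrorDocument` line). The cPanel baseline is assumed from the snippet quoted in the answers above.

```python
import re

# Constructed sample: the snippet from the question plus one extra directive
# added here to show what the audit reports for manual review.
SAMPLE_HTACCESS = """\
<Files 403.shtml>
order allow, deny
allow from all
</Files>
deny from 121.54.58.159
ErrorDocument 403 /cgi-bin/custom403.php
"""

# Assumed baseline: the block cPanel's IP Deny Manager writes, as quoted in the
# answers. Matched after lowercasing, collapsing whitespace and removing the
# space after the comma, so "allow, deny" and "allow,deny" both match.
CPANEL_DENY_BLOCK = ("<files 403.shtml>", "order allow,deny",
                     "allow from all", "</files>")


def _norm(line):
    return re.sub(r"\s+", " ", line.strip()).lower().replace(", ", ",")


def audit_htaccess(text):
    """Return (denied_ips, findings) for the body of an .htaccess file.

    denied_ips: the hosts/networks from 'deny from' lines (the part cPanel manages).
    findings:   original lines that are neither the known deny block nor a
                'deny from' line, e.g. an ErrorDocument pointing at a script,
                rewrite rules or handler changes, which need a human look.
    """
    raw = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    norm = [_norm(l) for l in raw]
    denied, findings = [], []
    i = 0
    while i < len(norm):
        if tuple(norm[i:i + len(CPANEL_DENY_BLOCK)]) == CPANEL_DENY_BLOCK:
            i += len(CPANEL_DENY_BLOCK)      # known benign block, skip it whole
            continue
        m = re.match(r"deny from (\S+)$", norm[i])
        if m:
            denied.append(m.group(1))
        else:
            findings.append(raw[i].strip())
        i += 1
    return denied, findings
```

Anything in `findings` is not explained by the IP Deny Manager and should be compared against a known-good copy of the site before the rebuild the first answer recommends.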